Magento 2 @escapeNotVerified

43

6

Marius

Posted 2015-12-08T08:25:52.637

Reputation: 150 497

14 Hey... Why the downvote? I'm not allowed to ask questions? – Marius – 2015-12-08T12:07:54.273

Answers

59

This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass the tests; the latter means that this particular usage has been checked and is safe.

In future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:

  • \Magento\Framework\View\Element\AbstractBlock::escapeHtml
  • \Magento\Framework\View\Element\AbstractBlock::escapeUrl
  • \Magento\Framework\View\Element\AbstractBlock::escapeXssInUrl
  • \Magento\Framework\View\Element\AbstractBlock::escapeQuote

Also note that some output is considered safe and should not be marked with such annotations:

  • Enclosed in single quotes
  • Enclosed in double quotes but without variables
  • Type casting to bool, int
  • Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML

Alex Paliarush

Posted 2015-12-08T08:25:52.637

Reputation: 9 012

2 Great answer @Alex – Amit Bera – 2015-12-08T09:24:30.047

Good Ans +1 @Alex :) – Rama Chandran M – 2018-03-09T02:40:30.283

18

I found it in the Magento 2 devdocs:

Static Test

To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to dev\tests\static\testsuite\Magento\Test\Php.

This static test finds all echo calls in PHTML templates and determines whether each one is properly escaped.

It covers the following cases:

  • /* @noEscape */ before output. Output doesn’t require escaping. Test is green.

  • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.

Read the Magento Docs at 2.0 or 2.1

Bill

Posted 2015-12-08T08:25:52.637

Reputation: 2 002
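As an added example (not code from this page, from Magento, or from its PHP test suite), here is a small Python re-implementation of the checking logic the two answers describe: every echo in a PHTML template passes only when it carries a @noEscape or @escapeNotVerified annotation, is wrapped in one of the listed escape methods, or falls under one of the safe-output cases. The template lines are constructed for the demonstration; matching 'html' in method names case-insensitively is an assumption.

```python
import re

# Constructed PHTML lines (not from the Magento code base) covering the cases
# listed in the answers above: escaped, annotated, safe literals, and unsafe.
SAMPLE_PHTML = """
<h1><?php echo $block->escapeHtml($block->getTitle()) ?></h1>
<a href="<?php echo $block->escapeUrl($block->getUrl()) ?>">link</a>
<p><?php /* @escapeNotVerified */ echo $block->getDescription() ?></p>
<div><?php /* @noEscape */ echo $block->getChildHtml('content') ?></div>
<span><?php echo $block->getTitleHtml() ?></span>
<span><?php echo (int) $block->getQty() ?></span>
<span><?php echo 'static text' ?></span>
<span><?php echo "static text" ?></span>
<span><?php echo $block->getName() ?></span>
<span><?php echo "Hello $name" ?></span>
"""

ESCAPERS = ("escapeHtml", "escapeUrl", "escapeXssInUrl", "escapeQuote")
# Captures an optional /* @annotation */ and the echoed expression.
ECHO_RE = re.compile(r"<\?php\s*(?:/\*\s*@(\w+)\s*\*/\s*)?echo\s+(.*?)\s*;?\s*\?>")


def classify(expr, annotation):
    """Return ('ok', reason) for a green echo or ('unescaped', reason) for a red one."""
    if annotation in ("noEscape", "escapeNotVerified"):
        return "ok", f"annotated @{annotation}"
    if re.match(r"\$\w+->(%s)\(" % "|".join(ESCAPERS), expr):
        return "ok", "wrapped in escaper"
    if re.fullmatch(r"'[^']*'", expr):
        return "ok", "single-quoted literal"
    if re.fullmatch(r'"[^"$]*"', expr):  # double quotes, no interpolated variables
        return "ok", "double-quoted literal without variables"
    if re.match(r"\((?:int|bool)\)", expr):
        return "ok", "cast to int/bool"
    if re.search(r"->\w*html\w*\(", expr, re.IGNORECASE):  # assumption: case-insensitive
        return "ok", "method name contains 'html'"
    return "unescaped", "output not verified"


def scan_template(phtml):
    """Mimic the static test: report (line, verdict, reason, expr) for every echo."""
    findings = []
    for lineno, line in enumerate(phtml.splitlines(), 1):
        for m in ECHO_RE.finditer(line):
            verdict, reason = classify(m.group(2), m.group(1))
            findings.append((lineno, verdict, reason, m.group(2)))
    return findings


def unescaped_lines(phtml):
    """Line numbers the test would flag red; an empty list means the template is green."""
    return [f[0] for f in scan_template(phtml) if f[1] == "unescaped"]
```

Running `unescaped_lines(SAMPLE_PHTML)` flags only the bare `$block->getName()` and the interpolated `"Hello $name"`; the other eight echoes are green for the reasons the answers give.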